Contributed by Dengue on from the apply-errata-folks dept.
"GOBBLES Security, a non-profit security organization, just released source code to exploit Apache on OpenBSD. It's interesting to read the source and see all the comments made by this group to Theo. http://online.securityfocus.com/news/493 "
Patch your systems folks.
By Vincent Foley () on
By earx () on
no mail for this exploit !
By Paul () on
No one-liner to fix the bug. (i.e. "pkg_add fix_my_damn_hole_before_it_is_exploited") -- part of making systems secure is making security easy. I run openbsd because I *don't want* to spend a lot of time thinking about security.
No announcement on the front page of openbsd.org.
openbsd.org still claims "Five years without a remote hole in the default install!" Is there something I misunderstand about what "remote hole" means?
I'm losing faith here.
By Not Really Anonymous () on
The whole remote hole statement, I wouldn't get too bent on that; the fact is, the OpenBSD team has rocked, spending a lot of time and effort on this project.
By earx () on
but why didn't they inform us of the hole?
i didn't read bugtraq and i wait for mail
from the security-announce mailing list!
By Cabal () on
By Rudy () on
By mirabile () on irc.openprojects.net:6667 #OpenBSD
A server crash is no root exploit.
A httpd exploit is no root exploit, but a wwwrun exploit.
wwwrun != uid0
By it is () on
http://online.securityfocus.com/attachment/2002-06-20/apache-scalp.c
By gwyllion () on
uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
http://mak.freeshell.org/exploited.txt
http://www.anuzis.net/apachescalp.txt
By anonymous () on
By gwyllion () on
By Anonymous Coward () on
By Anonymous Coward () on
By Not Really Anonymous () on
By Anonymous Coward () on
By Anonymous Coward () on
By Someone () on
And why didn't Monkey.org report that Fragroute(r) and Dsniff were backdoored until he was confronted on Bugtraq? The arrogance...
By Anonymous Coward () on
By Anonymous Coward () on
why not read and find your answers? the compromise of monkey.org had nothing to do with apache.
By Anonymous Coward () on
By Anonymous Coward () on
By pravus () abuse@aol.com on mailto:abuse@aol.com
why is there no announcement on the front page? a better question would be: "why should there be?"
really, if you are a server admin who doesn't frequent security bulletin sites, you aren't really an admin. and if you want to parade around as a simple "user" of the OS, that's fine. just don't expect people to care about your system being insecure.
the software you run is your choice. if you don't agree with the vendor's support policies, move to a different platform. it's just that simple.
and the remote hole statement holds true. i still can't understand why that statement causes so much confusion. take the OpenBSD install... select the DEFAULT options... what you get is the *gasp* DEFAULT INSTALL. and is apache enabled? *gasp* NO! *gasp*
is it clear now?
By RC () on
By webmaster () on localhost
By mak () root@bofhnet.org on mailto:root@bofhnet.org
http://www.snort.org/article.html?id=108
By Mike () on
Can anyone else confirm that the apache scalp code at packetstormsecurity.com is functional?
By mak () root@bofhnet.org on mailto:root@bofhnet.org
http://mak.freeshell.org/exploited.txt
By Anonymous Coward () on
"0day OpenBSD local kernel exploit"
?
By Anonymous Coward () on
By Bilou () bilou@sina.com on mailto:bilou@sina.com
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
By Michael Anuzis () michael_anuzis@hotmail.com on http://www.anuzis.net
The exploit is not remote root; it affects Apache's children that run as either "nobody" or "www".
See: http://www.anuzis.net/apachescalp.txt
p.s. Running it on port 8080 with pf redirection would make ~no difference in the result of the compromise.
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
BTW, the "fundamental cause of most exploits these days" is stupid programmers. If all software was as well written as Apache, Postfix, and BIND 9, we wouldn't need to consider changes to the traditional Unix security model.
By Ben Johnson () ben-openbsd@remove.johnsonworld.this.com on www.johnsonworld.com
There *was* some logic in having root hold sway over the lower ports - a unix server that could launch an attack would by default have to be logged in as root or compromised. This limited the number of computers that could launch an attack.
Now that everybody has a Windows box, and a DIY Unix is easy - every computer can launch an attack.
The compelling idea that you should only give a process the bare minimum resources to function should hold sway over the tradition of root for low ports. If it's too hard to massage Apache et al into not using root - then there should be another process that monitors them for 'appropriate' behaviour. Example: any spawn of Apache should be killed if it attempts to spawn a shell.
But what do I know - I just buy the CDs and paste the stickers.
By Michael Anuzis () on http://www.anuzis.net
By Anonymous Coward () on
By Not Really Anonymous () on
By gnudutch () on
Does anybody have the quick fix???
By gwyllion () on
By Anonymous Coward () on
By pravus () on
By BokLM () boklm@mars-attacks.org on http://www.mars-attacks.org
Why do they keep this on the website !!
If they consider that apache is not a part of the default install (it is installed but not running), that's stupid and most OS could say the same...
OpenBSD is a good and secure OS, but I think that saying "no remote hole in the default install" is not true. I think it would be good to remove this from the website...
By submicron () on
By Bill Gates () on
Remember, "MS-DOS is simply the best secure OS in the world."
By Anonymous Coward () on
exploit on a default install. VERY few.;; only one;;
Stupid is having to go through and turn off a bunch of
services before you feel safe.
--
Smart is an OS that lets the admin decide what to run.
Why is this so hard to understand?
If the service is not on, the user is safe.
By gwyllion () on
By Anonymous Coward () on
end of discussion
By Not Really Anonymous () on
I don't know anyone who would only use a secure OS as their only means of making sure their information is secure.
If you do care about that statement, why? Does the OS only depend on this statement?
Also, I could understand if OpenBSD was a commercial product, because then they would be able to use that "statement" to market themselves, but they are not.
Unlike Oracle's claims that their database software is "unbreakable", why don't people go after that?
By Anonymous Coward () on
I happened to leave on a business trip for a week exactly on the same date as the exploit was released. I could not patch the apache running on our company's server until after 4 days later. Guess what? When I came back and looked over the logs I could see clearly that our server was broken into using that Gobbles exploit. No major harm was done, since www user is not that powerful on my server, but database that is normally accessed via web interface, was screwed up badly - I had to restore it from a week old backup.
Moral:
1. Patch your systems as quickly as possible;
2. Backup! Backup! Backup!